NO PRACTICAL IDEAL CYCLOTOMIC FAMILIES OF PAIRING-FRIENDLY ELLIPTIC CURVES

Abstract. In this article, first we show that there are no ideal cyclotomic families of pairing-friendly elliptic curves with embedding degree $k$ when choosing $r(x)$ as the $k$-th cyclotomic polynomial and $k = 2^m p^n$ for some odd prime $p$ and integers $m \ge 0$, $n \ge 0$. Then with the help of PARI/GP, we prove that there are no practical ideal cyclotomic families of pairing-friendly elliptic curves.
1. Introduction



In recent years, the Tate pairing and the Weil pairing on elliptic curves over 
finite fields have been used to construct many novel cryptographic systems for 
which no other practical implementation is known, see [5, 6, 9, 15] for the pioneering 
work. The elliptic curves suitable for implementing pairing-based systems are called 
pairing-friendly elliptic curves. 

More precisely, a pairing-friendly elliptic curve $E$ over a finite field $\mathbb{F}_q$ contains a subgroup of large prime order $r$ such that for some $k$, $r \mid q^k - 1$ and $r \nmid q^i - 1$ for $1 \le i < k$, and the parameters $q$, $r$ and $k$ should be chosen such that the discrete logarithm problem is infeasible both in an order-$r$ subgroup of $E(\mathbb{F}_q)$ and in $\mathbb{F}_{q^k}^*$, and the arithmetic in $\mathbb{F}_{q^k}$ is feasible. Here $k$ is called the embedding degree of $E$ with respect to $r$, and the ratio $\log q / \log r$ is called the $\rho$-value of $E$ with respect to $r$.
Roughly speaking, pairing-friendly curves should have small embedding degree with respect to a large prime order subgroup. But Balasubramanian and Koblitz [1] showed that in general the embedding degree $k$ can be expected to be around $r$. This makes pairing-friendly curves rare, see for example [17]. Thus they need specific constructions, see the exhaustive survey [8].

The main known strategy to construct pairing-friendly curves is as follows. Fix $k \ge 1$ and square-free $D \ge 1$, and look for an integer $t$ and two primes $r$, $q$ satisfying

(1.1) $r \mid q + 1 - t$, $r \mid \Phi_k(q)$, $4q = t^2 + Dy^2$ for some $y$ (CM equation),

where $\Phi_k$ is the $k$-th cyclotomic polynomial, and $D$ is the so-called CM discriminant. Then the CM method can produce an elliptic curve $E$ over $\mathbb{F}_q$ with $|E(\mathbb{F}_q)| = q + 1 - t$.

A well-known construction of pairing-friendly curves with $k$ and $D$ fixed is called the complete family, which is due to [3, 7, 12, 16]. The idea is to parameterize $t, r, q, y$ as polynomials and then choose $t(x), r(x), q(x), y(x)$ satisfying (1.1) and such that $r(x)$ is irreducible and $q(x)$ is a power of an irreducible polynomial $p(x)$. If moreover $r(x)$ and $p(x)$ satisfy some conditions which conjecturally guarantee $r(x)$ and $p(x)$ to take prime values, then we say that $(t(x), r(x), q(x))$ parameterizes a complete family of elliptic curves. For such a family, the $\rho$-value, denoted by $\rho(t, r, q)$, is

$\rho(t, r, q) = \dfrac{\deg q(x)}{\deg r(x)}.$

When furthermore $r(x)$ is chosen to be $\Phi_n(x)$ with $k \mid n$, this yields the most popular family, called the cyclotomic family. We will give the details in Section 2.

In practice, both $k$ and $\deg r(x)$ should not be too large. Following [8], a practical complete family $(t(x), r(x), q(x))$ means that $k \le 50$ and $\deg r(x) \le 40$.

In general, curves with small $\rho$-values are desirable in order to speed up arithmetic on the elliptic curves. The ideal case is $\rho = 1$. We call a complete family $(t(x), r(x), q(x))$ of pairing-friendly curves an ideal family if $\rho(t, r, q) = 1$.

In this paper, we want to prove that there are no practical ideal cyclotomic 
families of pairing-friendly curves. For this purpose, we will first establish some 
theoretical criteria and then apply PARI/GP [14] to test the remaining cases. 

Okano [13] showed that for a cyclotomic family $(t(x), r(x), q(x))$ with embedding degree $k$ and $r(x) = \Phi_k(x)$, if $k = p$ or $2p$ for some odd prime $p$ (in this case, $p$ should be congruent to 3 modulo 4), then $\rho(t, r, q) \ne 1$. By using some methods different from those in [13] and based on the properties of cyclotomic polynomials, we extend this result to more cases.

Theorem 1.1. Let $k$ be a positive integer and $D$ a square-free positive integer. Put

$r(x) = \Phi_k(x).$

Suppose that $(t(x), r(x), q(x))$ parameterizes a complete family of elliptic curves with embedding degree $k$ and discriminant $D$. If $k = 2^m p^n$ for some odd prime $p$ and integers $m \ge 0$, $n \ge 0$, then we have

$\rho(t, r, q) \ne 1.$

Thanks to Theorem 1.1, practical ideal cyclotomic families $(t(x), r(x), q(x))$ with embedding degree $k \le 50$ and $r(x) = \Phi_k(x)$ can only possibly occur when $k \in \{15, 21, 30, 33, 35, 39, 42, 45\}$.

For a more general cyclotomic family $(t(x), r(x), q(x))$ with embedding degree $k$, $r(x) = \Phi_{kd}(x)$ and $d \ge 2$, it is complicated to get a criterion like Theorem 1.1.

For uniformly dealing with those cases not covered by Theorem 1.1, we design an algorithm executed in PARI/GP to construct cyclotomic families with minimum $\rho$-value with respect to $(k, d)$. Based on these minimum $\rho$-values, it is direct to see whether they are ideal. After making the computations by computer, we get the following theorem.

Theorem 1.2. There are no practical ideal cyclotomic families of pairing-friendly 
elliptic curves. 

2. Family of pairing-friendly elliptic curves 

In this section, following [8] we briefly introduce complete families of pairing-friendly curves for which the curve parameters $t, r, q, y$ are given as polynomials $t(x), r(x), q(x), y(x)$ in terms of $x$.

A famous conjecture of Buniakowski and Schinzel (see [11, Page 323]) asserts that a nonconstant $f(x) \in \mathbb{Z}[x]$ takes an infinite number of prime values if and only if $f(x)$ is irreducible with positive leading coefficient, and $\gcd(\{f(x) : x \in \mathbb{Z}\}) = 1$. Furthermore, a conjecture of Bateman and Horn [4] predicts the density of such prime values. In practice, we must also consider rational polynomials.

Definition 2.1. We say that $f(x) \in \mathbb{Q}[x]$ represents primes if it satisfies the following conditions:

(1) $f(x)$ is nonconstant and irreducible with positive leading coefficient;

(2) $f(x) \in \mathbb{Z}$ for some $x \in \mathbb{Z}$;

(3) $\gcd(\{f(x) \in \mathbb{Z} : x \in \mathbb{Z}\}) = 1$.

Definition 2.2. We say that a polynomial $f(x) \in \mathbb{Q}[x]$ represents integers if $f(x) \in \mathbb{Z}$ for some $x \in \mathbb{Z}$.

So when a rational polynomial f(x) represents primes, it is likely to take infinitely 
many prime values. Now we are ready to define complete families of elliptic curves. 

Definition 2.3. For a given positive integer $k$ and positive square-free integer $D$, the triple $(t(x), r(x), q(x)) \in \mathbb{Q}[x]^3$ parameterizes a complete family of elliptic curves with embedding degree $k$ and discriminant $D$ if the following conditions are satisfied:

(1) $q(x)$ is a power of a polynomial which represents primes;

(2) $r(x)$ represents primes and $t(x)$ represents integers;

(3) $r(x) \mid q(x) + 1 - t(x)$ and $r(x) \mid \Phi_k(t(x) - 1)$;

(4) There exists some $y(x) \in \mathbb{Q}[x]$ representing integers such that $4q(x) = t(x)^2 + Dy(x)^2$.

Barreto, Lynn and Scott [3] and (independently) Brezing and Weng [7] both observed that one can generalize the Cocks-Pinch method to produce complete families of elliptic curves. Brezing and Weng gave the construction in greatest generality; we describe it below as stated in [8].

Theorem 2.4 (Brezing-Weng [7]). Fix a positive integer $k$ and a positive square-free integer $D$. Then execute the following steps.

(1) Find an irreducible polynomial $r(x) \in \mathbb{Z}[x]$ with positive leading coefficient such that the number field $K = \mathbb{Q}[x]/(r(x))$ contains $\sqrt{-D}$ and the $k$-th cyclotomic field.

(2) Choose a primitive $k$-th root of unity $\zeta_k \in K$.

(3) Let $t(x) \in \mathbb{Q}[x]$ be a polynomial mapping to $\zeta_k + 1$ in $K$ such that $\deg t(x) < \deg r(x)$.

(4) Let $y(x) \in \mathbb{Q}[x]$ be a polynomial mapping to $(\zeta_k - 1)/\sqrt{-D}$ in $K$ such that $\deg y(x) < \deg r(x)$.

(5) Let $q(x) \in \mathbb{Q}[x]$ be given by $(t(x)^2 + Dy(x)^2)/4$.

Suppose that $q(x)$ represents primes and both $t(x)$ and $y(x)$ represent integers. Then the triple $(t(x), r(x), q(x))$ parameterizes a complete family of elliptic curves with embedding degree $k$ and discriminant $D$. The $\rho$-value of this family is

$\rho(t, r, q) = \dfrac{2\max\{\deg t(x), \deg y(x)\}}{\deg r(x)}.$

The cyclotomic families of elliptic curves are exactly those constructed by the Brezing-Weng method when $r(x)$ is taken to be a cyclotomic polynomial $\Phi_n(x)$ in the above theorem (in this case, $k \mid n$).
Searching for ideal complete families of elliptic curves is still an important open problem in pairing-based cryptography. So far there is only one known ideal complete family, constructed by Barreto and Naehrig [2] with $k = 12$ and $D = 3$. We state it as follows:

$t(x) = 6x^2 + 1,$

$r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1,$

$q(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1.$

3. Proof of Theorem 1.1 

In this section, we will prove Theorem 1.1 in five parts.

First, under the assumptions of Theorem 1.1, by using Theorem 2.4 we fix some notation.

Put $F = \mathbb{Q}[x]/(r(x))$, where $r(x) = \Phi_k(x)$. Notice that there is a canonical isomorphism between $F$ and $\mathbb{Q}(\zeta_k)$, and $x$ is a primitive $k$-th root of unity in $F$. Fix a primitive $k$-th root of unity $\zeta_k$ such that $x \mapsto \zeta_k$ under the isomorphism. Then $t(x)$ maps to $\zeta_k^g + 1$ for some integer $g$ such that $1 \le g < k$ and $\gcd(g, k) = 1$, so

$t(x) \equiv x^g + 1 \pmod{r(x)}.$

Thus, $y(x)$ maps to $-\frac{1}{D}(\zeta_k^g - 1)\sqrt{-D}$. Let $y_1(x)$ map to $(\zeta_k^g - 1)\sqrt{-D}$ with degree less than $\deg r(x)$. Obviously $\deg y(x) = \deg y_1(x)$. Thus, if $s(x)$ corresponds to $\sqrt{-D}$, we have

$y_1(x) \equiv (x^g - 1)s(x) \pmod{r(x)}$ with $\deg y_1(x) < \deg r(x)$.

Then to prove $\rho(t, r, q) \ne 1$, it is equivalent to show

$\max\{\deg t(x), \deg y_1(x)\} > \tfrac{1}{2}\deg r(x).$

Theorem 3.1. If $k = 2^m$ for some integer $m \ge 0$, then Theorem 1.1 is true.

Proof. If $k = 1, 2$, then the result has been proved in [8, Proposition 2.9] or [13, Lemma 3.1].

Now suppose that $m \ge 2$. If $m = 2$, then $D = 1$. Otherwise if $m \ge 3$, then $D = 1, 2$.

First, assume that $D = 1$. Notice that $\sqrt{-1} = \zeta_k^{2^{m-2}}$. Then $y_1(x) \equiv (x^g - 1)x^{2^{m-2}} = x^{2^{m-2}+g} - x^{2^{m-2}} \pmod{r(x)}$. Here $r(x) = x^{2^{m-1}} + 1$, and $g$ is an odd integer. It is straightforward to show that

$\deg y_1(x) = 2^{m-2} + g$ if $1 \le g < 2^{m-2}$,
$\deg t(x) = g$ if $2^{m-2} < g < 2^{m-1}$,
$\deg y_1(x) = 2^{m-2} + g - 2^{m-1}$ if $2^{m-1} < g < 2^{m-1} + 2^{m-2}$,
$\deg t(x) = g - 2^{m-1}$ if $2^{m-1} + 2^{m-2} < g < k$.

Therefore, we always have $\max\{\deg t(x), \deg y_1(x)\} > \frac{1}{2}\deg r(x)$.

Now assume that $D = 2$. It is well-known that $\sqrt{-2} = \zeta_8 + \zeta_8^3 = \zeta_k^{2^{m-3}} + \zeta_k^{3 \cdot 2^{m-3}}$. Then we have $y_1(x) \equiv x^{2^{m-2}+2^{m-3}+g} + x^{2^{m-3}+g} - x^{2^{m-2}+2^{m-3}} - x^{2^{m-3}} \pmod{r(x)}$.

Notice that $g$ is an odd integer, so the term $-x^{2^{m-2}+2^{m-3}}$ is always non-vanishing. So $\deg y_1(x) \ge 2^{m-2} + 2^{m-3}$. Thus, we have $\deg y_1(x) > \frac{1}{2}\deg r(x)$. □
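The following Python script is an added example and not part of the paper: it carries out the degree bookkeeping of the proof of Theorem 3.1 by machine for $k = 2^m$ with $m \ge 3$, using the representatives $\sqrt{-1} = x^{k/4}$ and $\sqrt{-2} = x^{k/8} + x^{3k/8}$ from the proof, reducing modulo $r(x) = x^{k/2} + 1$, and listing for each odd $g$ the degrees of $t(x)$ and $y_1(x)$. The function names and the restriction to $m \ge 3$ are choices of this example.

```python
# Added example (not from the paper): machine check of the degree bookkeeping in the
# proof of Theorem 3.1 for k = 2^m, r(x) = Phi_k(x) = x^(k/2) + 1.
# Polynomials are dicts {exponent: coefficient}; reduction modulo x^n + 1 uses x^(n+i) = -x^i.

def reduce_mod_xn_plus_1(terms, n):
    """Reduce {exponent: coeff} modulo x^n + 1 (exponents below n stay, x^(n+i) -> -x^i)."""
    out = {}
    for e, c in terms.items():
        wraps, i = divmod(e, n)
        out[i] = out.get(i, 0) + (-c if wraps % 2 else c)
    return {e: c for e, c in out.items() if c != 0}

def degree(terms):
    """Degree of a term dict; -1 for the zero polynomial."""
    return max(terms) if terms else -1

def sqrt_minus_d_terms(k, D):
    """Representative s(x) of sqrt(-D) in Q[x]/(Phi_k(x)) for k = 2^m, as in the proof:
    D = 1 -> zeta_4 = x^(k/4); D = 2 -> zeta_8 + zeta_8^3 = x^(k/8) + x^(3k/8)."""
    if D == 1 and k % 4 == 0:
        return {k // 4: 1}
    if D == 2 and k % 8 == 0:
        return {k // 8: 1, 3 * k // 8: 1}
    raise ValueError("only D = 1 (k >= 4) and D = 2 (k >= 8) occur for k = 2^m")

def theorem_3_1_degrees(m, D):
    """For every odd g < k = 2^m return {g: (deg t, deg y1)} with t = x^g + 1 and
    y1 = (x^g - 1) s(x), both reduced modulo r(x) = x^(k/2) + 1."""
    if m < 3:
        raise ValueError("this example assumes m >= 3")
    k, n = 2 ** m, 2 ** (m - 1)          # n = deg r(x)
    s = sqrt_minus_d_terms(k, D)
    table = {}
    for g in range(1, k, 2):             # gcd(g, 2^m) = 1 means g is odd
        t = reduce_mod_xn_plus_1({g: 1, 0: 1}, n)
        y1 = {}
        for e, c in s.items():           # (x^g - 1) * s(x), term by term
            y1[e + g] = y1.get(e + g, 0) + c
            y1[e] = y1.get(e, 0) - c
        y1 = reduce_mod_xn_plus_1(y1, n)
        table[g] = (degree(t), degree(y1))
    return table

def theorem_3_1_violations(m, D):
    """The g for which max(deg t, deg y1) <= deg r / 2, i.e. where rho = 1 would still be
    possible. Theorem 3.1 says there are none, so the list should come back empty."""
    half = 2 ** (m - 1) / 2
    return [g for g, (dt, dy) in theorem_3_1_degrees(m, D).items() if max(dt, dy) <= half]

if __name__ == "__main__":
    for m in range(3, 8):
        for D in (1, 2):
            print(f"k = 2^{m}, D = {D}: violations = {theorem_3_1_violations(m, D)}")
    print(theorem_3_1_degrees(4, 1))    # the four cases of the degree table for k = 16
```

For $k = 16$, $D = 1$ the table returned for $g = 1, 5, 9, 13$ is $(1, 5), (5, 4), (1, 5), (5, 4)$, matching the four cases of the proof one by one, and for $D = 2$ every $y_1$ has degree at least $2^{m-2} + 2^{m-3} = 6$.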

Theorem 3.2. If $k = p^n$ for some odd prime $p$ and an integer $n \ge 1$, then Theorem 1.1 is true.

Proof. If $p \equiv 1 \pmod 4$, then $(t(x), r(x), q(x))$ does not exist. So we only need to consider the case that $p \equiv 3 \pmod 4$.

For the case $n = 1$, the desired result has been proved in [13, Theorem 1.1]. Now we suppose that $n \ge 2$.

Since $k = p^n$ with $p \equiv 3 \pmod 4$, $D$ must be equal to $p$. It is well-known that

$\sqrt{-p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_p^a = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{ap^{n-1}}.$

Thus,

$y_1(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{ap^{n-1}+g} - \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{ap^{n-1}} \pmod{r(x)}.$

Put

$y_2(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{ap^{n-1}} \pmod{r(x)}$ with $\deg y_2(x) < \deg r(x)$.

Since $r(x) = \sum_{a=0}^{p-1} x^{ap^{n-1}}$, every exponent of $x$ appearing in $r(x)$ is divisible by $p$. Notice that every $ap^{n-1} + g$ is coprime to $p$. So $\deg y_1(x) \ge \deg y_2(x)$. Then it suffices to consider $y_2(x)$.

Since $\left(\frac{p-1}{p}\right) = -1$, it is easy to see that

$y_2(x) \equiv 1 + \sum_{a=1}^{p-2}\left(1 + \left(\frac{a}{p}\right)\right)x^{ap^{n-1}} \pmod{r(x)}.$

Then $\deg y_2(x) < \frac{1}{2}\deg r(x)$ if and only if $\left(\frac{a}{p}\right) = -1$ for all $\frac{p-1}{2} \le a \le p-1$. But the latter condition is impossible for $p \ge 7$. Indeed, for $p \ge 7$, there exists an integer $b$ such that $\sqrt{p/2} < b < \sqrt{p}$, and then we have

$\left(\frac{b^2}{p}\right) = 1$ and $\frac{p}{2} < b^2 < p.$

Now we suppose that $p = 3$. Then we have

$y_1(x) \equiv 2x^{3^{n-1}+g} + x^g - 2x^{3^{n-1}} - 1 \pmod{r(x)},$

where $r(x) = x^{2 \cdot 3^{n-1}} + x^{3^{n-1}} + 1$. It is straightforward to show that

$\deg y_1(x) = 3^{n-1} + g$ if $1 \le g < 3^{n-1}$,
$\deg t(x) = g$ if $3^{n-1} < g < 2 \cdot 3^{n-1}$,
$\deg t(x) = g - 3^{n-1}$ if $2 \cdot 3^{n-1} < g < k$.

So we always have $\max\{\deg t(x), \deg y_1(x)\} > \frac{1}{2}\deg r(x)$. □

Theorem 3.3. If $k = 2p^n$ for some odd prime $p$ and some integer $n \ge 1$, then Theorem 1.1 is true.

Proof. If $p \equiv 1 \pmod 4$, then $(t(x), r(x), q(x))$ does not exist. So we only need to consider the case that $p \equiv 3 \pmod 4$.

For the case $n = 1$, the desired result has been proved in [13, Theorem 1.1]. Now we suppose that $n \ge 2$.

Since $k = 2p^n$ with $p \equiv 3 \pmod 4$, we have $D = p$. Notice that $\zeta_k = -\zeta_{p^n}$, so we have

$\sqrt{-p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_p^a = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)(-\zeta_k)^{ap^{n-1}}.$

Then

$y_1(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)(-x)^{ap^{n-1}+g} - \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)(-x)^{ap^{n-1}} \pmod{r(x)}.$

Notice that $r(x) = \sum_{a=0}^{p-1}(-x)^{ap^{n-1}}$. If we put $z = -x$, then we can apply the same argument as in the proof of Theorem 3.2, and we also get

$\max\{\deg t(z), \deg y_1(z)\} > \tfrac{1}{2}\deg r(z).$

□



To handle more complicated cases we need some preparations.

For an odd prime $p$ and integers $m \ge 1$, $n \ge 1$, it is well-known that

$\Phi_{2^m p^n}(x) = \sum_{a=0}^{p-1}(-1)^a x^{a 2^{m-1}p^{n-1}}.$

For each integer $i \ge 1$, define

$f_i(x) \equiv x^i \pmod{\Phi_{2^m p^n}(x)}$ with $\deg f_i(x) < \deg\Phi_{2^m p^n}(x)$.

By definition, every $f_i(x)$ is well-defined and unique.

Lemma 3.4. We have $f_i(x) = x^i$ for $i < 2^{m-1}p^{n-1}(p-1)$.

Lemma 3.5. For $i = j \cdot 2^{m-1}p^n$, $j \ge 1$, we have

$f_i(x) = (-1)^j,$

$f_{i-s}(x) = \sum_{a=0}^{p-2}(-1)^{a+j}x^{(a+1)2^{m-1}p^{n-1}-s}$ if $1 \le s \le 2^{m-1}p^{n-1}$,

$f_{i+s}(x) = (-1)^j x^s$ if $1 \le s < 2^{m-1}p^{n-1}(p-1)$.

Proof. We prove this lemma by induction. For $j = 1$, it is straightforward to verify the desired formulas. Now for $j \ge 2$, assume that the desired formulas are true for $j - 1$.

Put $i_0 = j \cdot 2^{m-1}p^n - 2^{m-1}p^{n-1}$. Then all we need to do is to compute $f_{i_0}(x)$. Notice that $i_0 - 1 = (j-1)2^{m-1}p^n + 2^{m-1}p^{n-1}(p-1) - 1$; by the assumption we have $f_{i_0-1}(x) = (-1)^{j-1}x^{2^{m-1}p^{n-1}(p-1)-1}$. Thus

$f_{i_0}(x) \equiv (-1)^{j-1}x^{2^{m-1}p^{n-1}(p-1)} \equiv \sum_{a=0}^{p-2}(-1)^{a+j}x^{a 2^{m-1}p^{n-1}} \pmod{\Phi_{2^m p^n}(x)}.$

Then the other formulas follow easily. □

Theorem 3.6. Assume that $k = 2^m p^n$ for some odd prime $p$ with $p \equiv 3 \pmod 4$ and integers $m \ge 2$ and $n \ge 1$. Then Theorem 1.1 is true.

Proof. If $m = 2$, then $D = 1, p$. Otherwise if $m \ge 3$, then $D = 1, 2, p$ or $2p$.

First, assume that $D = 1$. Since $\sqrt{-1} = \zeta_k^{2^{m-2}p^n}$, we have

$y_1(x) \equiv x^{2^{m-2}p^n + g} - x^{2^{m-2}p^n} \pmod{r(x)}.$

Here $r(x)$ is a polynomial in terms of $x^2$, and the two integers $2^{m-2}p^n + g$ and $2^{m-2}p^n$ have different parities. Since $2^{m-2}p^n < \deg r(x)$, we have $\deg y_1(x) \ge 2^{m-2}p^n > \frac{1}{2}\deg r(x)$.

Then suppose that $D = 2$. Since $\sqrt{-2} = \zeta_8 + \zeta_8^3 = \zeta_k^{2^{m-3}p^n} + \zeta_k^{3 \cdot 2^{m-3}p^n}$, we have

$y_1(x) \equiv x^{3 \cdot 2^{m-3}p^n + g} + x^{2^{m-3}p^n + g} - x^{3 \cdot 2^{m-3}p^n} - x^{2^{m-3}p^n} \pmod{r(x)}.$

Notice that the two integers $3 \cdot 2^{m-3}p^n + g$ and $2^{m-3}p^n + g$ have the same parity, and the two integers $3 \cdot 2^{m-3}p^n$ and $2^{m-3}p^n$ have the same parity, but $2^{m-3}p^n + g$ and $2^{m-3}p^n$ have different parities. Furthermore, $3 \cdot 2^{m-3}p^n < \deg r(x)$ if $p > 3$. So as before we have $\deg y_1(x) \ge 3 \cdot 2^{m-3}p^n > \frac{1}{2}\deg r(x)$.

If $D = 2$ and $p = 3$, we have

$y_1(x) \equiv x^{2^{m-3}3^{n+1} + g} + x^{2^{m-3}3^n + g} - x^{2^{m-3}3^{n+1}} - x^{2^{m-3}3^n} \pmod{r(x)},$

where $r(x) = x^{2^m 3^{n-1}} - x^{2^{m-1}3^{n-1}} + 1$. Then we obtain

$y_1(x) \equiv x^{5 \cdot 2^{m-3}3^{n-1} + g} + x^{2^{m-3}3^n + g} - x^{2^{m-3}3^{n-1} + g} - x^{5 \cdot 2^{m-3}3^{n-1}} - x^{2^{m-3}3^n} + x^{2^{m-3}3^{n-1}} \pmod{r(x)}.$

Notice that $5 \cdot 2^{m-3}3^{n-1} < \deg r(x)$. As before, we have $\deg y_1(x) \ge 5 \cdot 2^{m-3}3^{n-1} > \frac{1}{2}\deg r(x)$.

Now suppose that $D = p$. Since $\sqrt{-p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{a 2^m p^{n-1}}$, we have

$y_1(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{a 2^m p^{n-1} + g} - \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{a 2^m p^{n-1}} \pmod{r(x)}.$

Put

$y_2(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{a 2^m p^{n-1}} \pmod{r(x)}$ with $\deg y_2(x) < \deg r(x)$.

Notice that $r(x)$ is a polynomial with respect to $x^2$, and every $a 2^m p^{n-1} + g$ is an odd integer. So $\deg y_1(x) \ge \deg y_2(x)$. Then we only need to consider $y_2(x)$. Put $z = x^{2^{m-1}p^{n-1}}$; then $r(x) = \Phi_{2p}(z)$. Define

$y_3(z) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{2a} \pmod{\Phi_{2p}(z)}$ with $\deg y_3(z) < \deg\Phi_{2p}(z)$.

Then $\deg y_2(x) = 2^{m-1}p^{n-1}\deg y_3(z)$.
Applying Lemma 3.5, we get

$y_3(z) \equiv \sum_{a=1}^{(p-3)/2}\left(\frac{a}{p}\right)z^{2a} + \left(\frac{(p-1)/2}{p}\right)\sum_{a=0}^{p-2}(-1)^{a+1}z^{a} - \sum_{a=(p+1)/2}^{p-1}\left(\frac{a}{p}\right)z^{2a-p} \pmod{\Phi_{2p}(z)}.$

[The regrouping of these sums by even and odd powers of $z$ is illegible in the source.]

Then $\deg y_3(z) < \frac{1}{2}\deg\Phi_{2p}(z)$ if and only if $\left(\frac{a}{p}\right) = -1$ for all $\frac{p-1}{2} \le a \le p-1$. But in Theorem 3.2 we have shown that the latter condition is impossible for $p \ge 7$. So for $p \ge 7$, $\deg y_3(z) > \frac{1}{2}\deg\Phi_{2p}(z)$. Thus, $\deg y_1(x) \ge \deg y_2(x) > \frac{1}{2}\deg r(x)$.
For the case $D = p$ and $p = 3$, we have

$y_1(x) \equiv 2x^{2^{m-1}3^{n-1} + g} - x^g - 2x^{2^{m-1}3^{n-1}} + 1 \pmod{r(x)},$

where $r(x) = x^{2^m 3^{n-1}} - x^{2^{m-1}3^{n-1}} + 1$. Then as before we always have $\deg y_1(x) > \frac{1}{2}\deg r(x)$.



Now assume that $D = 2p$. Since $\sqrt{2} = \zeta_8 - \zeta_8^3 = \zeta_k^{2^{m-3}p^n} - \zeta_k^{3 \cdot 2^{m-3}p^n}$ and $\sqrt{-p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{a 2^m p^{n-1}}$, we have

$\sqrt{-2p} = \sqrt{2}\sqrt{-p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{(8a+p)2^{m-3}p^{n-1}} - \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{(8a+3p)2^{m-3}p^{n-1}}.$

Then

$y_1(x) \equiv (x^g - 1)\left(\sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{(8a+p)2^{m-3}p^{n-1}} - \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{(8a+3p)2^{m-3}p^{n-1}}\right) \pmod{r(x)}.$

Put

$y_2(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{(8a+3p)2^{m-3}p^{n-1}} - \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{(8a+p)2^{m-3}p^{n-1}} \pmod{r(x)}$ with $\deg y_2(x) < \deg r(x)$.



Similarly as before, we have $\deg y_1(x) \ge \deg y_2(x)$, so we only need to consider $y_2(x)$. Set $z = x^{2^{m-3}p^{n-1}}$; then $r(x) = \Phi_{8p}(z)$. Define

$y_3(z) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{8a+3p} - \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{8a+p} \pmod{\Phi_{8p}(z)}$ with $\deg y_3(z) < \deg\Phi_{8p}(z)$.

Obviously, $\deg y_2(x) = 2^{m-3}p^{n-1}\deg y_3(z)$. Furthermore, define

$y_{31}(z) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{8a+3p} \pmod{\Phi_{8p}(z)}$ with $\deg y_{31}(z) < \deg\Phi_{8p}(z)$,

$y_{32}(z) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{8a+p} \pmod{\Phi_{8p}(z)}$ with $\deg y_{32}(z) < \deg\Phi_{8p}(z)$.

Since $\Phi_{8p}(z)$ is a polynomial with respect to $z^4$ and for any two integers $a$ and $b$, $8a + 3p$ is not congruent to $8b + p$ modulo 4, we have

$y_3(z) = y_{31}(z) - y_{32}(z).$

Furthermore we suppose that $p \equiv 3 \pmod 8$. Then we can define the following four non-negative integers $\alpha, \beta, u$ and $v$:

$\tfrac{1}{8}p = \alpha + \tfrac{3}{8}, \quad \tfrac{3}{8}p = \beta + \tfrac{1}{8}, \quad \tfrac{5}{8}p = u + \tfrac{7}{8}, \quad \tfrac{7}{8}p = v + \tfrac{5}{8}.$

Applying Lemma 3.5, we obtain

$y_{31}(z) \equiv \sum_{a=1}^{\alpha-1}\left(\frac{a}{p}\right)z^{8a+3p} + \left(\frac{\alpha}{p}\right)\sum_{a=0}^{p-2}(-1)^{a+1}z^{4a+1} - \sum_{a=\alpha+1}^{u}\left(\frac{a}{p}\right)z^{8a-p} + \sum_{a=u+1}^{p-1}\left(\frac{a}{p}\right)z^{8a-5p} \pmod{\Phi_{8p}(z)},$

$y_{32}(z) \equiv \sum_{a=1}^{\beta-1}\left(\frac{a}{p}\right)z^{8a+p} + \left(\frac{\beta}{p}\right)\sum_{a=0}^{p-2}(-1)^{a+1}z^{4a+3} - \sum_{a=\beta+1}^{v}\left(\frac{a}{p}\right)z^{8a-3p} + \sum_{a=v+1}^{p-1}\left(\frac{a}{p}\right)z^{8a-7p} \pmod{\Phi_{8p}(z)}.$

[The regrouping of these sums by the residue of the exponent modulo 8 is illegible in the source.]

Suppose that $\deg y_3(z) < \frac{1}{2}\deg\Phi_{8p}(z)$. Notice that $\deg\Phi_{8p}(z) = 4(p-1)$ and $\deg y_3(z) = \max\{\deg y_{31}(z), \deg y_{32}(z)\}$. For $y_{31}(z)$, if $8a - p > 2(p-1)$, then $a > \frac{3p-2}{8}$, so we have

(3.1) $\left(\frac{a}{p}\right) = \left(\frac{\alpha}{p}\right)$ for $\beta \le a \le u$.

For $y_{32}(z)$, similarly the inequality $8a - 3p > 2(p-1)$ yields

(3.2) $\left(\frac{a}{p}\right) = \left(\frac{\beta}{p}\right)$ for $u + 1 \le a \le v$.

So for $\beta \le a \le v$, every $\left(\frac{a}{p}\right)$ has the same value as $\left(\frac{\alpha}{p}\right)$. Obviously the number of these $a$ is $v - \beta + 1 = \frac{p+1}{2}$. This is impossible. So we always have $\deg y_3(z) > \frac{1}{2}\deg\Phi_{8p}(z)$ if $p \equiv 3 \pmod 8$. Thus, $\deg y_1(x) \ge \deg y_2(x) > \frac{1}{2}\deg r(x)$.
Finally we suppose that $p \equiv 7 \pmod 8$ under the assumption $D = 2p$. As before we define the following four non-negative integers $\alpha, \beta, u$ and $v$:

$\tfrac{1}{8}p = \alpha + \tfrac{7}{8}, \quad \tfrac{3}{8}p = \beta + \tfrac{5}{8}, \quad \tfrac{5}{8}p = u + \tfrac{3}{8}, \quad \tfrac{7}{8}p = v + \tfrac{1}{8}.$

Applying Lemma 3.5, we obtain

$y_{32}(z) \equiv \sum_{a=1}^{\beta}\left(\frac{a}{p}\right)z^{8a+p} - \sum_{a=\beta+1}^{v-1}\left(\frac{a}{p}\right)z^{8a-3p} + \left(\frac{v}{p}\right)\sum_{a=0}^{p-2}(-1)^{a}z^{4a+3} + \sum_{a=v+1}^{p-1}\left(\frac{a}{p}\right)z^{8a-7p} \pmod{\Phi_{8p}(z)}.$

[The regrouping of this sum by the residue of the exponent modulo 8 is illegible in the source.]

Suppose that $\deg y_3(z) < \frac{1}{2}\deg\Phi_{8p}(z)$. Similarly as before, considering $y_{32}(z)$, the inequality $8a + p > 2(p-1)$ gives

(3.3) $\left(\frac{a}{p}\right) = \left(\frac{v}{p}\right)$ if $\alpha + 1 \le a \le \beta$,

and the inequality $8a - 3p > 2(p-1)$ gives

(3.4) $\left(\frac{a}{p}\right) = \left(\frac{v}{p}\right)$ for $u + 1 \le a \le v$.

Since $(\beta - \alpha) + (v - u) = \frac{p+1}{2}$, by (3.3) and (3.4) we see that the number of $a$ with $1 \le a \le p-1$ such that $\left(\frac{a}{p}\right)$ takes the same value as $\left(\frac{v}{p}\right)$ is at least $\frac{p+1}{2}$. This is impossible. So we always have $\deg y_3(z) > \frac{1}{2}\deg\Phi_{8p}(z)$ if $p \equiv 7 \pmod 8$. Thus, $\deg y_1(x) \ge \deg y_2(x) > \frac{1}{2}\deg r(x)$. □

Theorem 3.7. Assume that $k = 2^m p^n$ for some odd prime $p$ with $p \equiv 1 \pmod 4$ and integers $m \ge 2$ and $n \ge 1$. Then Theorem 1.1 is true.

Proof. If $m = 2$, then $D = 1, p$. Otherwise if $m \ge 3$, then $D = 1, 2, p$ or $2p$.

For the cases $D = 1, 2$, we can apply the same argument as in the proof of Theorem 3.6 to verify the desired result.

Now suppose that $D = p$. Since $p \equiv 1 \pmod 4$, we have $\sqrt{p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{a 2^m p^{n-1}}$, and then

$\sqrt{-p} = \zeta_4\sqrt{p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{2^{m-2}p^{n-1}(4a+p)}.$

Then

$y_1(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{2^{m-2}p^{n-1}(4a+p)+g} - \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{2^{m-2}p^{n-1}(4a+p)} \pmod{r(x)}.$

Put

$y_2(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{2^{m-2}p^{n-1}(4a+p)} \pmod{r(x)}$ with $\deg y_2(x) < \deg r(x)$.

Notice that $r(x)$ is a polynomial with respect to $x^2$, and every $2^{m-2}p^{n-1}(4a+p)+g$ and $2^{m-2}p^{n-1}(4a+p)$ have different parities. So $\deg y_1(x) \ge \deg y_2(x)$. Then we only need to consider $y_2(x)$. Put $z = x^{2^{m-2}p^{n-1}}$; then $r(x) = \Phi_{4p}(z)$. Define

$y_3(z) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{4a+p} \pmod{\Phi_{4p}(z)}$ with $\deg y_3(z) < \deg\Phi_{4p}(z)$.

Then $\deg y_2(x) = 2^{m-2}p^{n-1}\deg y_3(z)$.

Assume that $p = 4b + 1$. Applying Lemma 3.5 (and noting that $\left(\frac{b}{p}\right) = \left(\frac{-1}{p}\right) = 1$, since $4b \equiv -1 \pmod p$), we have

$y_3(z) \equiv \sum_{a=1}^{b-1}\left(\frac{a}{p}\right)z^{4a+p} + z^{2p-1} + \sum_{a=b+1}^{3b}\left(\frac{a}{p}\right)z^{4a+p} + \sum_{a=3b+1}^{p-1}\left(\frac{a}{p}\right)z^{4a+p}$

$\equiv \sum_{a=1}^{b-1}\left(\frac{a}{p}\right)z^{4a+p} + \sum_{a=0}^{p-2}(-1)^{a+1}z^{2a+1} - \sum_{a=b+1}^{3b}\left(\frac{a}{p}\right)z^{4a-p} + \sum_{a=3b+1}^{p-1}\left(\frac{a}{p}\right)z^{4a-3p} \pmod{\Phi_{4p}(z)}.$

[The further regrouping of these sums by the residue of the exponent modulo 4 is illegible in the source.]

Notice that in the last identity every exponent of $z$ is less than $\deg\Phi_{4p}(z)$ and $z^{4b+1}$ appears only one time. So $\deg y_3(z) \ge 4b + 1 = p > \frac{1}{2}\deg\Phi_{4p}(z)$. Then $\deg y_1(x) \ge \deg y_2(x) > \frac{1}{2}\deg r(x)$.



Now assume that $D = 2p$. Since $\sqrt{-2} = \zeta_8 + \zeta_8^3 = \zeta_k^{2^{m-3}p^n} + \zeta_k^{3 \cdot 2^{m-3}p^n}$ and $\sqrt{p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{a 2^m p^{n-1}}$, we have

$\sqrt{-2p} = \sqrt{-2}\sqrt{p} = \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{(8a+3p)2^{m-3}p^{n-1}} + \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)\zeta_k^{(8a+p)2^{m-3}p^{n-1}}.$

Then

$y_1(x) \equiv (x^g - 1)\left(\sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{(8a+3p)2^{m-3}p^{n-1}} + \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{(8a+p)2^{m-3}p^{n-1}}\right) \pmod{r(x)}.$

Put

$y_2(x) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{(8a+3p)2^{m-3}p^{n-1}} + \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)x^{(8a+p)2^{m-3}p^{n-1}} \pmod{r(x)}$ with $\deg y_2(x) < \deg r(x)$.

Similarly as before, we have $\deg y_1(x) \ge \deg y_2(x)$. Then we only need to consider $y_2(x)$. Set $z = x^{2^{m-3}p^{n-1}}$; then $r(x) = \Phi_{8p}(z)$. Define

$y_3(z) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{8a+3p} + \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{8a+p} \pmod{\Phi_{8p}(z)}$ with $\deg y_3(z) < \deg\Phi_{8p}(z)$.

Obviously, $\deg y_2(x) = 2^{m-3}p^{n-1}\deg y_3(z)$. Furthermore, define

$y_{31}(z) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{8a+3p} \pmod{\Phi_{8p}(z)}$ with $\deg y_{31}(z) < \deg\Phi_{8p}(z)$,

$y_{32}(z) \equiv \sum_{a=1}^{p-1}\left(\frac{a}{p}\right)z^{8a+p} \pmod{\Phi_{8p}(z)}$ with $\deg y_{32}(z) < \deg\Phi_{8p}(z)$.

Since $\Phi_{8p}(z)$ is a polynomial with respect to $z^4$ and for any two integers $a$ and $b$, $8a + 3p$ is not congruent to $8b + p$ modulo 4, we have

$y_3(z) = y_{31}(z) + y_{32}(z).$

Furthermore we suppose that $p \equiv 1 \pmod 8$. Then we can define the following four non-negative integers $\alpha, \beta, u$ and $v$:

$\tfrac{1}{8}p = \alpha + \tfrac{1}{8}, \quad \tfrac{3}{8}p = \beta + \tfrac{3}{8}, \quad \tfrac{5}{8}p = u + \tfrac{5}{8}, \quad \tfrac{7}{8}p = v + \tfrac{7}{8}.$

Applying Lemma 3.5, we obtain

$y_{32}(z) \equiv \sum_{a=1}^{\beta-1}\left(\frac{a}{p}\right)z^{8a+p} + \left(\frac{\beta}{p}\right)\sum_{a=0}^{p-2}(-1)^{a+1}z^{4a+1} - \sum_{a=\beta+1}^{v}\left(\frac{a}{p}\right)z^{8a-3p} + \sum_{a=v+1}^{p-1}\left(\frac{a}{p}\right)z^{8a-7p} \pmod{\Phi_{8p}(z)}.$

[The regrouping of this sum by the residue of the exponent modulo 8 is illegible in the source.]

Suppose that $\deg y_3(z) < \frac{1}{2}\deg\Phi_{8p}(z)$. Similarly as before, considering $y_{32}(z)$, the inequality $8a + p > 2(p-1)$ gives

(3.5) $\left(\frac{a}{p}\right) = \left(\frac{\beta}{p}\right)$ if $\alpha \le a \le \beta$,

and the inequality $8a - 3p > 2(p-1)$ gives

(3.6) $\left(\frac{a}{p}\right) = \left(\frac{\beta}{p}\right)$ for $u + 1 \le a \le v$.

Since $(\beta - \alpha + 1) + (v - u) = \frac{p+1}{2}$, by (3.5) and (3.6) we see that the number of $a$ with $1 \le a \le p-1$ such that $\left(\frac{a}{p}\right)$ takes the same value as $\left(\frac{\beta}{p}\right)$ is at least $\frac{p+1}{2}$. This is impossible. So we always have $\deg y_3(z) > \frac{1}{2}\deg\Phi_{8p}(z)$ if $p \equiv 1 \pmod 8$. Thus, $\deg y_1(x) \ge \deg y_2(x) > \frac{1}{2}\deg r(x)$.

Finally we suppose that $p \equiv 5 \pmod 8$ under the assumption $D = 2p$. As before we define the following four non-negative integers $\alpha, \beta, u$ and $v$:

$\tfrac{1}{8}p = \alpha + \tfrac{5}{8}, \quad \tfrac{3}{8}p = \beta + \tfrac{7}{8}, \quad \tfrac{5}{8}p = u + \tfrac{1}{8}, \quad \tfrac{7}{8}p = v + \tfrac{3}{8}.$

Applying Lemma 3.5, we obtain

$y_{32}(z) \equiv \sum_{a=1}^{\beta}\left(\frac{a}{p}\right)z^{8a+p} - \sum_{a=\beta+1}^{v-1}\left(\frac{a}{p}\right)z^{8a-3p} + \left(\frac{v}{p}\right)\sum_{a=0}^{p-2}(-1)^{a}z^{4a+1} + \sum_{a=v+1}^{p-1}\left(\frac{a}{p}\right)z^{8a-7p} \pmod{\Phi_{8p}(z)}.$

[The regrouping of this sum by the residue of the exponent modulo 8 is illegible in the source.]

Suppose that $\deg y_3(z) < \frac{1}{2}\deg\Phi_{8p}(z)$. Similarly as before, considering $y_{32}(z)$, the inequality $8a + p > 2(p-1)$ gives

(3.7) $\left(\frac{a}{p}\right) = \left(\frac{v}{p}\right)$ if $\alpha + 1 \le a \le \beta$,

and the inequality $8a - 3p > 2(p-1)$ gives

(3.8) $\left(\frac{a}{p}\right) = \left(\frac{v}{p}\right)$ for $u \le a \le v$.

Since $(\beta - \alpha) + (v - u + 1) = \frac{p+1}{2}$, by (3.7) and (3.8) we see that the number of $a$ with $1 \le a \le p-1$ such that $\left(\frac{a}{p}\right)$ takes the same value as $\left(\frac{v}{p}\right)$ is at least $\frac{p+1}{2}$. This is impossible. So we always have $\deg y_3(z) > \frac{1}{2}\deg\Phi_{8p}(z)$ if $p \equiv 5 \pmod 8$. Thus, $\deg y_1(x) \ge \deg y_2(x) > \frac{1}{2}\deg r(x)$.

□

4. Proof of Theorem 1.2

In this section, we will prove Theorem 1.2 with the help of a computer.

Consider a general cyclotomic family $(t(x), r(x), q(x))$ with embedding degree $k$, $r(x) = \Phi_{kd}(x)$ and $d \ge 1$. Considering practice, we require that $k \le 50$ and $\varphi(kd) \le 40$, where $\varphi$ is Euler's totient function.

When $d = 1$, then $r(x) = \Phi_k(x)$, and due to Theorem 1.1 we only need to test the cases $k \in \{15, 21, 30, 33, 35, 39, 42, 45\}$.

When $d \ge 2$, a general theoretical test would be complicated. Here we design an algorithm, executed in PARI/GP, to test all the cases satisfying $k \le 50$ and $\varphi(kd) \le 40$.

For a cyclotomic family $(t(x), r(x), q(x))$ with embedding degree $k$ and discriminant $D$, where $r(x) = \Phi_{kd}(x)$, fix an isomorphism $\mathbb{Q}[x]/(r(x)) \to \mathbb{Q}(\zeta_{kd})$ such that $x$ maps to a primitive $kd$-th root of unity $\zeta_{kd}$. Then $x^d$ maps to a primitive $k$-th root of unity $\zeta_k$. Since $t(x) - 1$ maps to a primitive $k$-th root of unity, we have

$t(x) \equiv x^{dg} + 1 \pmod{r(x)}$

for some integer $g$ such that $1 \le g < k$ and $\gcd(g, k) = 1$. Notice that $y(x)$ maps to $-\frac{1}{D}(\zeta_k^g - 1)\sqrt{-D}$; we need to find the representative $s(x)$ of $\sqrt{-D}$ in $\mathbb{Q}[x]/(r(x))$ with $\deg s(x) < \deg r(x)$, and then

$y(x) \equiv (x^{dg} - 1)s(x) \pmod{r(x)}.$

For finding $s(x)$, we use a method in [10]. Here notice that $r(x)$ represents primes and $t(x)$ represents integers automatically.
Since testing representing integers and representing primes is indispensable in constructing polynomial families of pairing-friendly curves, we develop two functions, "reinteger" and "reprime", in PARI/GP to perform these tests. Following the discussion below Definition 2.5 of [8], here we only state the main technique.

For a given polynomial $f(x) \in \mathbb{Q}[x]$, let $N$ be the least common multiple of the denominators of its coefficients. To test whether it represents integers, we only need to calculate $f(n)$ for $0 \le n < N$. Compute $M = \gcd(\{f(n) \in \mathbb{Z} : 0 \le n < N\})$. Suppose that $M \ne 1$. Then for every prime factor $p$ of $M$, to determine whether $p \mid \gcd(\{f(x) \in \mathbb{Z} : x \in \mathbb{Z}\})$, we only need to test whether $f(n)$ is divisible by $p$ for all $0 \le n < pN$ with $f(n) \in \mathbb{Z}$. If $p \nmid \gcd(\{f(x) \in \mathbb{Z} : x \in \mathbb{Z}\})$ for every prime factor $p$ of $M$, then we have $\gcd(\{f(x) \in \mathbb{Z} : x \in \mathbb{Z}\}) = 1$.
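As an added example (not the paper's PARI/GP code), here is the same test written in Python with exact rational arithmetic: `represents_integers` implements the test of Definition 2.2 and `integer_values_coprime` the two-stage gcd test just described. The function names, the sample polynomials, and the wider sample range $0 \le n < N(\deg f + 1)$ used for $M$ (so that roots of $f$ at small $n$ cannot leave $M = 0$) are choices of this example; irreducibility is not checked here.

```python
# Added example (not the paper's PARI/GP code): the "represents integers" test and the
# gcd-of-values test behind "reinteger"/"reprime", in Python with exact rationals.
# A polynomial is a list of Fraction coefficients, lowest degree first.
from fractions import Fraction
from math import gcd, lcm

def poly(*coeffs):
    """Build a polynomial from integers or Fractions, lowest degree first."""
    return [Fraction(c) for c in coeffs]

def evaluate(f, n):
    """Horner evaluation of f at the integer n, as an exact Fraction."""
    acc = Fraction(0)
    for c in reversed(f):
        acc = acc * n + c
    return acc

def denominator_lcm(f):
    """N = lcm of the coefficient denominators. f(n + N) - f(n) is always an integer,
    so whether f(n) is an integer depends only on n modulo N."""
    return lcm(*(c.denominator for c in f))

def represents_integers(f):
    """Definition 2.2: f(n) is an integer for some integer n (it suffices to try 0 <= n < N)."""
    N = denominator_lcm(f)
    return any(evaluate(f, n).denominator == 1 for n in range(N))

def prime_factors(m):
    """Distinct prime factors of a positive integer by trial division (small inputs only)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out

def integer_values_coprime(f):
    """Condition (3) of Definition 2.1: the gcd of all integer values f(n), n in Z, is 1.
    Stage 1: M = gcd of the integer values on an initial range of n (the paper samples
    0 <= n < N; this example samples 0 <= n < N*len(f) so roots of f cannot leave M = 0).
    Stage 2: a prime p | M divides every integer value of f iff it divides those with
    0 <= n < pN, because f(n + pN) - f(n) is a multiple of p."""
    N = denominator_lcm(f)
    M = 0
    for n in range(N * len(f)):
        v = evaluate(f, n)
        if v.denominator == 1:
            M = gcd(M, int(v))
    if M == 0:                       # f takes no integer value (or is identically zero)
        return False
    for p in prime_factors(M):       # nothing to do when M == 1
        values = [evaluate(f, n) for n in range(p * N)]
        if all(v % p == 0 for v in values if v.denominator == 1):
            return False             # p divides every integer value of f
    return True

def prime_value_conditions(f):
    """Conditions (2) and (3) of Definition 2.1 plus 'nonconstant with positive leading
    coefficient'. Irreducibility (the rest of condition (1)) is not tested here; the
    paper's reprime uses PARI's polisirreducible for that."""
    f = list(f)
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    if len(f) < 2 or f[-1] <= 0:
        return False
    return represents_integers(f) and integer_values_coprime(f)

# Constructed sample inputs for this example.
BN_Q = poly(1, 6, 24, 36, 36)        # q(x) of the BN family in Section 2
EVEN_VALUES = poly(2, 1, 1)          # x^2 + x + 2: every value is even
HALF_INTEGRAL = poly(0, Fraction(3, 2), Fraction(1, 2))   # (x^2 + 3x)/2: values 0, 2, 5, 9, ...

if __name__ == "__main__":
    for name, f in [("BN q(x)", BN_Q), ("x^2+x+2", EVEN_VALUES), ("(x^2+3x)/2", HALF_INTEGRAL)]:
        print(name, represents_integers(f), integer_values_coprime(f), prime_value_conditions(f))
```

For $x^2 + x + 2$ the first stage gives $M = 2$ and the second stage confirms that 2 divides every value, so the polynomial fails condition (3); for $(x^2 + 3x)/2$ the sampled values $0, 2, 5, \dots$ already have gcd 1.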

When calling "reprime(f)", if $f$ represents primes, the function will return "1", otherwise it will return "0". Here we want to remind the reader that $f$ must be a polynomial in terms of $x$. The function "reinteger" has the same syntax. The source codes are below.

• reinteger(f)={N=denominator(content(f));in=-1;for(i=0,N-1,
x=i;if(frac(eval(f))==0,in=i;break));if(in==-1,kill(x);
return(0),kill(x);return(1))}

• reprime(f)={if(poldegree(f)==0||polisirreducible(f)==0||
pollead(f)<0,kill(x);return(0),N=denominator(content(f));in=-1;
for(i=0,N-1,x=i;if(frac(eval(f))==0,in=i;break));if(in==-1,
kill(x);return(0),x=in;N1=eval(f);for(i=in+1,N-1,x=i;
if(frac(eval(f))==0,N1=gcd(N1,eval(f))));if(N1==1,kill(x);
return(1),A=factor(N1);B=matsize(A);for(i=1,B[1],M=N*A[i,1];
in=-1;for(j=0,M,in=j;x=j;e=eval(f);if(frac(e)==0&Mod(e,A[i,1])!=0,
break));if(in==M,kill(x);return(0))));kill(x);return(1)))}

Algorithm 1 is essentially an application of the Brezing-Weng method. Based on Algorithm 1, we develop a function called "cyclotomic". The syntax of this function is "cyclotomic(k, d)", where $k$ and $d$ are exactly the inputs. The outputs are $k, d, D, (t(x), r(x), y(x), q(x))$ with minimum $\rho$-value, $q(x)$ representing primes and $y(x)$ representing integers. The source code is below.

cyclotomic(k,d)={k1=k*d;r=polcyclo(k1,z);F=nfinit(r);d0=eulerphi(k);
s=factorback(factor(k1)[,1]);D0=divisors(s);c0=matsize(D0);m=0;
D=vector(c0[2]);for(i=1,c0[2],if(Mod(k1,-quaddisc(-D0[i]))==0,m=m+1;
D[m]=D0[i]));if(m==0,return(print("No such cyclotomic families")),
g=vector(d0);t=matrix(m,d0);y=matrix(m,d0);q=matrix(m,d0);
rho=matrix(m,d0);print();j=0;for(n=1,k,if(gcd(n,k)==1,j=j+1;g[j]=n));
for(i=1,m,sD=nfroots(F,x^2+D[i]);sqD=sD[2].pol;for(n=1,d0,t[i,n]=
lift(Mod(z^(d*g[n])+1,r));y[i,n]=lift(Mod(-(z^(d*g[n])-1)*sqD/D[i],r));
q[i,n]=(t[i,n]^2+D[i]*y[i,n]^2)/4;if(reprime(subst(q[i,n],z,x))&
reinteger(subst(y[i,n],z,x)),rho[i,n]=(2*max(poldegree(t[i,n]),
poldegree(y[i,n])))/eulerphi(k1),rho[i,n]=10))));p=vecmin(rho);
if(p==10,return(print("No such cyclotomic families")));print("k=",
k," ","d=",d," ","r(x)=",subst(r,z,x));print("rhovalue=",p);
print();for(i=1,m,for(n=1,d0,if(rho[i,n]==p&polisirreducible(q[i,n]),
print("D=",D[i]," ","t(x)=",subst(t[i,n],z,x)," ","y(x)=",
subst(y[i,n],z,x)," ","q(x)=",subst(q[i,n],z,x));print())))}
For each $1 \le k \le 50$, Table 1 gives the parameters $(d, D, \rho, \deg r(x))$ for constructing the cyclotomic families with minimum $\rho$-value with respect to $k$ such that $\deg r(x) \le 40$. For example, given $k$ and $(d, D, \rho, \deg r(x))$, one can apply "cyclotomic(k, d)" to construct all cyclotomic families with minimum $\rho$-value with respect to $(k, d)$, and then according to $(D, \rho, \deg r(x))$ one can find the corresponding families. Notice that for a given $k$ there may exist several cyclotomic families with minimum $\rho$-value; among them we choose the families with minimum $d$. Based on these minimum $\rho$-values, we can easily determine whether there exist ideal cyclotomic families.

From this table, we conclude that there are no practical ideal cyclotomic families of pairing-friendly curves.

Finally, we would like to indicate that Table 1 reconfirms Table 5 in [8] when therein choosing cyclotomic families for $k$, for example $7 \le k \le 11$.

Algorithm 1 Constructing cyclotomic families with minimum $\rho$-value

Input: $k$, $d$.

Output: $k, d, D, (t(x), r(x), y(x), q(x))$ with minimum $\rho$-value, $q(x)$ representing primes and $y(x)$ representing integers.

1: Construct the set $S$ consisting of all square-free factors $D$ of $kd$ with $\sqrt{-D} \in \mathbb{Q}(\zeta_{kd})$.
2: Construct the set $G$ consisting of all $1 \le g < k$ with $\gcd(g, k) = 1$.
3: for all $D \in S$ do
4:   for all $g \in G$ do
5:     Find the representative $s(x)$ of $\sqrt{-D}$.
6:     Calculate $t(x), y(x), q(x)$ and the $\rho$-value, and test whether $q(x)$ represents primes and whether $y(x)$ represents integers by calling "reprime" and "reinteger" respectively.
7:     Memorize those constructed families with $q(x)$ representing primes and $y(x)$ representing integers.
8:   end for
9: end for
10: Calculate the minimum $\rho$-value and the corresponding families.
11: Output the families with minimum $\rho$-value. If they don't exist, output "No such cyclotomic families".
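The following Python script is an added example and not the paper's PARI/GP code: it implements exact polynomial arithmetic modulo $\Phi_n(x)$ and uses it both to verify the BN family of Section 2 against conditions (3) and (4) of Definition 2.3 and to run the Brezing-Weng loop of steps 3 to 6 of Algorithm 1 for $r(x) = \Phi_{kd}(x)$. It assumes the representatives of $\sqrt{-D}$ used in Section 3 (so only $D = 1$, $D = 2$ and odd primes $D \equiv 3 \pmod 4$ are handled, whereas the paper's code obtains $s(x)$ with PARI's nfroots), it does not test whether $q(x)$ represents primes, and the BN polynomial $y(x) = 6x^2 + 4x + 1$, which the page does not list, is supplied by this example.

```python
# Added example (not the paper's PARI/GP code): rational polynomial arithmetic modulo a
# cyclotomic polynomial, used to (a) verify the Barreto-Naehrig family of Section 2 and
# (b) run the Brezing-Weng loop of Algorithm 1 for r(x) = Phi_{kd}(x).
# Polynomials are lists of Fraction coefficients, lowest degree first.
from fractions import Fraction
from math import gcd

def trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def poly(*coeffs):
    return trim([Fraction(c) for c in coeffs])

def deg(p):
    p = trim(list(p))
    return -1 if p == [0] else len(p) - 1

def add(p, q):
    n = max(len(p), len(q))
    return trim([(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0) for i in range(n)])

def sub(p, q):
    return add(p, [-c for c in q])

def scale(p, c):
    return trim([Fraction(c) * a for a in p])

def mul(p, q):
    out = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return trim(out)

def divmod_poly(p, q):
    """Long division over Q: returns (quotient, remainder) with deg remainder < deg q."""
    p, q = trim(list(p)), trim(list(q))
    quot = [Fraction(0)] * max(1, len(p) - len(q) + 1)
    while deg(p) >= deg(q):
        shift, c = deg(p) - deg(q), p[-1] / q[-1]
        quot[shift] = c
        p = sub(p, mul([Fraction(0)] * shift + [c], q))
    return trim(quot), p

def cyclotomic(n):
    """Phi_n(x) = (x^n - 1) / prod_{d | n, d < n} Phi_d(x)."""
    p = poly(-1, *([0] * (n - 1)), 1)
    for d in range(1, n):
        if n % d == 0:
            p, rem = divmod_poly(p, cyclotomic(d))
            assert rem == [0]
    return p

def compose(p, q):
    """p(q(x)) by Horner's rule."""
    out = [Fraction(0)]
    for c in reversed(p):
        out = add(mul(out, q), [c])
    return out

def is_complete_family(k, D, t, r, q, y):
    """Conditions (3) and (4) of Definition 2.3: r | q + 1 - t, r | Phi_k(t - 1) and
    4q = t^2 + D y^2. Primality/irreducibility of q and r is not tested here."""
    _, rem1 = divmod_poly(add(sub(q, t), [Fraction(1)]), r)
    _, rem2 = divmod_poly(compose(cyclotomic(k), sub(t, [Fraction(1)])), r)
    cm = sub(scale(q, 4), add(mul(t, t), scale(mul(y, y), D)))
    return rem1 == [0] and rem2 == [0] and cm == [0]

def rho_value(q, r):
    return Fraction(deg(q), deg(r))

def sqrt_minus_D(n, D):
    """Representative of sqrt(-D) in Q[x]/(Phi_n(x)), x standing for zeta_n, for the cases
    of Section 3: D = 1 (zeta_4), D = 2 (zeta_8 + zeta_8^3), odd prime D = p = 3 (mod 4)
    (Gauss sum sum_a (a/p) zeta_p^a). Returns None when sqrt(-D) is not available this way."""
    def mono(e):
        return [Fraction(0)] * e + [Fraction(1)]
    if D == 1:
        return mono(n // 4) if n % 4 == 0 else None
    if D == 2:
        return add(mono(n // 8), mono(3 * n // 8)) if n % 8 == 0 else None
    if D % 4 == 3 and n % D == 0 and all(D % i for i in range(2, int(D ** 0.5) + 1)):
        s = [Fraction(0)]
        for a in range(1, D):
            legendre = 1 if pow(a, (D - 1) // 2, D) == 1 else -1
            s = add(s, scale(mono(a * n // D), legendre))
        return s
    return None

def brezing_weng(k, d, D):
    """Steps 3-6 of Algorithm 1 with r(x) = Phi_{kd}(x): for every g coprime to k build
    t, y, q and rho = 2 max(deg t, deg y) / deg r. Returns [(g, t, y, q, rho), ...] sorted
    by rho; whether q represents primes is left to a separate test."""
    n = k * d
    r, s = cyclotomic(n), sqrt_minus_D(n, D)
    if s is None:
        return []
    families = []
    for g in range(1, k):
        if gcd(g, k) != 1:
            continue
        xg = [Fraction(0)] * (d * g) + [Fraction(1)]                 # x^(dg), primitive k-th root of unity
        _, t = divmod_poly(add(xg, [Fraction(1)]), r)                # t = x^(dg) + 1 mod r
        _, y = divmod_poly(scale(mul(sub(xg, [Fraction(1)]), s), Fraction(-1, D)), r)  # -(x^(dg)-1)sqrt(-D)/D
        q = scale(add(mul(t, t), scale(mul(y, y), D)), Fraction(1, 4))
        families.append((g, t, y, q, Fraction(2 * max(deg(t), deg(y)), deg(r))))
    return sorted(families, key=lambda f: f[4])

# The BN family of Section 2; y(x) is not listed on the page and is supplied by this example.
BN_T, BN_R = poly(1, 0, 6), poly(1, 6, 18, 36, 36)
BN_Q, BN_Y = poly(1, 6, 24, 36, 36), poly(1, 4, 6)

if __name__ == "__main__":
    print("BN satisfies (3),(4):", is_complete_family(12, 3, BN_T, BN_R, BN_Q, BN_Y), "rho =", rho_value(BN_Q, BN_R))
    for k, d, D in [(12, 1, 3), (8, 1, 1), (16, 1, 2)]:
        g, _, _, _, rho = brezing_weng(k, d, D)[0]
        print(f"k={k} d={d} D={D}: minimum rho = {rho} (g = {g})")
```

With $r(x) = \Phi_{12}(x)$ and $D = 3$ every admissible $g$ gives $\rho = 3/2$, in line with Theorem 1.1 ($k = 12 = 2^2 \cdot 3$), while the BN family, whose $r(x)$ is not a cyclotomic polynomial, passes the divisibility and CM checks with $\rho = 1$.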